Executive Summary

CVE-2026-35200 is a vulnerability in Parse Server related to file uploads where an attacker can upload a file with a filename extension that passes the allowed extension whitelist (e.g., .txt) but specify a mismatched Content-Type header (e.g., text/html).

The server accepts the Content-Type header without validating that it matches the file extension, passing this mismatched Content-Type to storage adapters like Amazon S3 or Google Cloud Storage. These adapters then serve the file with the attacker-supplied Content-Type, which can lead to security risks such as improper handling or execution of malicious files.

The vulnerability is fixed by enforcing that the Content-Type is derived strictly from the file extension during upload, overriding any user-provided Content-Type when the file has an extension. This prevents attackers from spoofing the Content-Type header.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify any direct impact of CVE-2026-35200 on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker to upload files with a mismatched Content-Type header, causing storage adapters to serve files with incorrect MIME types.

Such mismatches can lead to security risks including stored Cross-Site Scripting (XSS) attacks, where malicious scripts are executed in the context of a trusted domain, potentially compromising user data or session integrity.

Additionally, improper Content-Type handling can cause content spoofing or improper rendering of files by clients, which may lead to further security issues.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves a mismatch between the file extension and the Content-Type header during file uploads to Parse Server. Detection involves identifying files uploaded with allowed extensions (e.g., .txt) but served or stored with a mismatched Content-Type header (e.g., text/html).

To detect this on your system or network, you can monitor file uploads and inspect HTTP requests to the Parse Server for discrepancies between the filename extensions and the Content-Type headers.

• Use network traffic capture tools like tcpdump or Wireshark to capture HTTP POST requests to the file upload endpoint and filter for mismatched Content-Type headers.
• Example tcpdump command to capture HTTP traffic on port 80 or 443: tcpdump -i any -A 'tcp port 80 or tcp port 443' | grep -E 'Content-Type|filename='
• Use curl or similar tools to manually test file uploads with mismatched Content-Type headers and observe server or storage adapter responses.
• Check storage adapters (e.g., S3 or GCS) for files served with Content-Type headers that do not match their file extensions.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade Parse Server to a fixed version where the vulnerability is resolved: version 8.6.73 or later, or 9.7.1-alpha.4 or later.

These versions enforce that the Content-Type of uploaded files is strictly derived from the file extension, overriding any user-supplied Content-Type header to prevent mismatches.

As an immediate workaround, configure your storage adapters or content delivery networks (CDNs) to derive the Content-Type from the filename extension rather than relying on the stored Content-Type header.

Additionally, review and monitor file upload handling to ensure that files with mismatched Content-Type headers are not accepted or served.

Useful 0 Not Useful 0